Sun Microsystems, Inc.
spacerspacer
spacer   www.sun.com docs.sun.com | | |  
spacer
black dot
   
A   B   C   D   E   F   G   H   I   J   K   L   M   N   O   P   Q   R   S   T   U   V   W   X   Y   Z
    
 
System Administration Commandsikecert(1M)


NAME

 ikecert - manipulates the machine's on-filesystem public-key certificate databases

SYNOPSIS

 ikecert [certlocal] [ -a | -e | -h | -k | -l | -r] [option_specific_arguments ...]
 ikecert [certdb] [ -a | -e | -h | -l | -r] [option_specific_arguments ...]
 ikecert [certldb] [ -a | -e | -h | -l | -r] [option_specific_arguments ...]

DESCRIPTION

 

The ikecert command manipulates the machine's on-filesystem public-key certificate databases. See FILES.

ikecert has three subcommands, one for each of the three major repositories:

  • certlocal deals with the private-key repository,
  • certdb deals with the public-key repository, and
  • certrldb deals with the certificate revocation list (CRL) repository.

OPTIONS

 

Each subcommand requires one option, possibly followed by one or more option-specific arguments.

The following options are supported:

-a
certlocal
When specified with the certlocal subcommand, this option installs (adds) a private key into the Internet Key Exchange (IKE) local ID database. The key data is read from standard input, and is in a Solaris-only format.
certdb
When specified with the certdb subcommand, this option reads a certificate from standard input and adds it to the IKE certificate database. The certificate must be a X.509 certificate in PEM Base64 or ASN.1 BER encoding. The certificate adopts the name of its identity.
certrldb
When specified with the certrldb subcommand, this option installs (adds) a CRL into the IKE database. The CRL reads from standard input.
-e slot
certlocal
When specified with the certlocal subcommand, this option extracts a private key from the IKE local ID database. The key data are written to standard output. The lot specifies which private key to extract. Private keys are only extracted in binary/ber format.

Use this option with extreme caution. See SECURITY.

-e [-f output-format] certspec
certdb
When specified with the certdb subcommand, this option extracts a certificate from the IKE certificate database which matches the certspec and writes it to standard output. The output-format option specifies the encoding format. Valid options are PEM and BER. This extracts the first matching identity. The default output format is PEM.
certrldb
When specified with the certrldb subcommand, this option extracts a CRL from the IKE database. The key data are written to standard output. The certspec specifies which CRL that is extracted. The first one that matches in the database is extracted. See PARAMETERS for details on certspec patterns.
-kc -m keysize -t keytype -D dname -A altname[ ... ]
certlocal
When specified with the certlocal subcommand, this option generates a IKE public/private key pair and adds it into the local ID database. It also generates a certificate request and sends that to standard output. For details on the above options see PARAMETERS for details on the dname argument and see ALTERNATIVE NAMES for details on the altname argument(s) to this command.
-ks -m keysize -t keytype -D dname -A altname[ ... ] [-f output-format]
certlocal
When specified with the certlocal subcommand, generates a public/private key pair and adds it into the local ID database. This option also generates a self-signed certificate and installs it into the certificate database. See PARAMETERS for details on the dname and altname arguments to this command.
-l [-v] [slot]
certlocal
When specified with the certlocal subcommand, this option lists private keys in the local ID database. The -v option switches output to a verbose mode where the entire certificate is printed.

Use the -v option with extreme caution. See SECURITY.

-l [-v] [certspec]
certdb
When specified with the certdb subcommand, this option lists certificates in the IKE certificate database matching the certspec, if any pattern is given. The list displays the identity string of the certificates, as well as, the private key if in the key database. The -v switches the output to a verbose mode where the entire certificate is printed.
certrldb
When specified with the certrldb subcommand, this option lists the CRLs in the IKE database along with any certificates that reside in the database and match the Issuer Name. certspec can be used to specify to list a specific CRL. The -voption switches the output to a verbose mode where the entire certificate is printed. See PARAMETERS for details on certspec patterns.
-r slot
certlocal
When specified with the certlocal subcommand, deletes the local ID in the specified slot. If there is a corresponding public key, it is not be deleted.
-r certspec
certdb
Removes certificates from the IKE certificate database. Certificates matching the specified certificate pattern are deleted. Any private keys in the certlocal database corresponding to these certificates are not deleted. This removes the first matching identity.
certrldb
When specified with the certrldb subcommand, this option deletes the CRL with the given certspec.

PARAMETERS

 

The following parameters are supported:

certspec
Specifies the pattern matching of certificate specifications. Valid certspecs are the Subject Name, Issuer Name, and Subject Alternative Names.

These can be specified as certificates that match the given certspec values and that don't match other certspec values. To signify a certspec value that is not supposed to be present in a certificate, place an ! in front of the tag.

Valid certspecs are:

 
<Subject Names>
SUBJECT=<Subject Names>
ISSUER=<Issuer Names>
SLOT=<Slot Number in the certificate database>

Example:"ISSUER=C=US, O=SUN" IP=1.2.3.4 !DNS=example.com
Example:"C=US,   O=CALIFORNIA" IP=5.4.2.1 DNS=sun.com 

Valid arguments to the alternative names are as follows:

 
IP=<IPv4 address>
DNS=<Domain Name Server address>
EMAIL=<email (RFC 822) address>
URI=<Uniform Resource Indicator value>
DN=<LDAP Directory Name value>
RID=<Registered Identifier value>

Valid Slot numbers can be specified without the keyword tag. Alternative name can also be issued with keyword tags.

-A
Subject Alternative Names the certificate. The argument that follows the -A option should be in the form of tag=value. Valid tags are IP, DNS, EMAIL, URI, DN, and RID (See example below).
-D
X.509 distinguished name for the certificate subject. It typically has the form of: C=country, O=organization, OU=organizational unit, CN=common name. Valid tags are: C, O, OU, and CN.
-f
Encoding output format. pem for PEM Base64 or ber for ASN.1 BER. If -f is not specified, pem is assumed.
-m
Key size. It can be 512, 1024, 2048, 3072, or 4096.
-t
Key type. It can be rsa-sha1, rsa-md5, or dsa-sha1.

SECURITY

 

This command can save private keys of a public-private key pair into a file. Any exposure of a private key may lead to compromise if the key is somehow obtained by an adversary.

Refer to the afterword by Matt Blaze in Bruce Schneier's Applied Cryptography: Protocols, Algorithms, and Source Code in C for additional information.

EXAMPLES

 Example 1. Generating a Self-Signed Certificate
 

The following is an example of a self-signed certificate:

 
# ikecert certlocal -ks -m 512 -t rsa-md5 -D "C=US, O=SUN" -A
IP=1.2.3.4
Generating, please wait...
Certificate generated.
Certificate added to database.
-----BEGIN X509 CERTIFICATE-----
MIIBRDCB76ADAgECAgEBMA0GCSqGSIb3DQEBBAUAMBsxCzAJBgNVBAYTAlVTMQww
CgYDVQQKEwNTVU4wHhcNMDEwMzE0MDEzMDM1WhcNMDUwMzE0MDEzMDM1WjAbMQsw
CQYDVQQGEwJVUzEMMAoGA1UEChMDU1VOMFowDQYJKoZIhvcNAQEBBQADSQAwRgJB
APDhqpKgjgRoRUr6twTMTtSuNsReEnFoReVer!ztpXpQK6ybYlRH18JIqU/uCV/r
26R/cVXTy5qc5NbMwA40KzcCASOjIDAeMAsGA1UdDwQEAwIFoDAPBgNVHREECDAG
hwQBAgMEMA0GCSqGSIb3DQEBBAUAA0EApTRD23KzN95GMvPD71hwwClukslKLVg8
f1xm9ZsHLPJLRxHFwsqqjAad4j4wwwriiUmGAHLTGB0lJMl8xsgxag==
-----END X509 CERTIFICATE-----
Example 2. Generating a CA Request
 

Generating a CA request appears the same as the self-signed certificate. The only differences between the two is the option -c instead of -s, and the certificate data is a CA request.

 
 
# ikecert certlocal -kc -m 512 -t rsa-md5 \
   -D "C=US, O=SUN" -A IP=1.2.3.4

EXIT STATUS

 

The following exit values are returned:

0
Successful completion.
non-zero
An error occurred. Writes an appropriate error message to standard error.

FILES

 
/etc/inet/secret/ike.privatekeys/*
Private keys. A private key must have a matching public-key certificate with the same filename in /etc/inet/ike/publickeys/.
/etc/inet/ike/publickeys/*
Public-key certificates. The names are only important with regard to matching private key names.
/etc/inet/ike/crls/*
Public key certificate revocation lists.

ATTRIBUTES

 

See attributes(5) for descriptions of the following attributes:

ATTRIBUTE TYPEATTRIBUTE VALUE
AvailabilitySUNWcsu

SEE ALSO

 

in.iked(1M), attributes(5)

Schneier, Bruce, Applied Cryptography: Protocols, Algorithms, and Source Code in C, Second Edition, John Wiley & Sons, New York, NY, 1996.


SunOS 5.9Go To TopLast Changed 2 Jan 2002

 
      
      
Copyright 2002 Sun Microsystems, Inc. All rights reserved. Use is subject to license terms.